Linux Sandbox: add Credentials::SupportsNewUserNS()

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <signal.h>
 #include <stdio.h>
 #include <sys/capability.h>
 #include <sys/stat.h>
+#include <sys/syscall.h>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/template_util.h"
+#include "base/third_party/valgrind/valgrind.h"
 #include "base/threading/thread.h"
 
 namespace {
 
+bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
+
 struct CapFreeDeleter {
   inline void operator()(cap_t cap) const {
     int ret = cap_free(cap);
     CHECK_EQ(0, ret);
   }
 };
 
 // Wrapper to manage libcap2's cap_t type.
 typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap;
 
@@ skipping 104 matching lines @@
   base::Thread chrooter("sandbox_chrooter");
   if (!chrooter.Start()) return false;
   bool is_chrooted = false;
   chrooter.message_loop()->PostTask(FROM_HERE,
       base::Bind(&ChrootToThreadFdInfo, chrooter.thread_id(), &is_chrooted));
   // Make sure our task has run before committing the return value.
   chrooter.Stop();
   return is_chrooted;
 }
 
+// CHECK() that an attempt to move to a new user namespace raised an expected
+// errno.
+void CheckCloneNewUserErrno(int error) {
+  // EPERM can happen if already in a chroot. EUSERS if too many nested
+  // namespaces are used. EINVAL for kernels that don't support the feature.
+  // Valgrind will ENOSYS unshare().
+  PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
+         error == ENOSYS);
+}
+
 }  // namespace.
 
 namespace sandbox {
 
 Credentials::Credentials() {
 }
 
 Credentials::~Credentials() {
 }
 
@@ skipping 65 matching lines @@
 }
 
 scoped_ptr<std::string> Credentials::GetCurrentCapString() const {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
   ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL));
   CHECK(cap_text);
   return scoped_ptr<std::string> (new std::string(cap_text.get()));
 }
 
+// static
+bool Credentials::SupportsNewUserNS() {
+  // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
+  // so always consider UserNS unsupported there.
+  if (IsRunningOnValgrind()) {
+    return false;
+  }
+
+  // This is roughly a fork().
+  const pid_t pid = syscall(__NR_clone, CLONE_NEWUSER | SIGCHLD, 0, 0, 0);
+
+  if (pid == -1) {
+    CheckCloneNewUserErrno(errno);
+    return false;
+  }
+
+  // The parent process could have had threads. In the child, these threads
+  // have disappeared. Make sure to not do anything in the child, as this is a
+  // fragile execution environment.
+  if (pid == 0) {
+    _exit(0);
+  }
+
+  // Always reap the child.
+  siginfo_t infop;
+  PCHECK(0 == HANDLE_EINTR(waitid(P_PID, pid, &infop, WEXITED)));
+
+  // clone(2) succeeded, we can use CLONE_NEWUSER.
+  return true;
+}
+
 bool Credentials::MoveToNewUserNS() {
   uid_t uid;
   gid_t gid;
   if (!GetRESIds(&uid, &gid)) {
     // If all the uids (or gids) are not equal to each other, the security
     // model will most likely confuse the caller, abort.
     DVLOG(1) << "uids or gids differ!";
     return false;
   }
   int ret = unshare(CLONE_NEWUSER);
-  // EPERM can happen if already in a chroot. EUSERS if too many nested
-  // namespaces are used. EINVAL for kernels that don't support the feature.
-  // Valgrind will ENOSYS unshare().
-  PCHECK(!ret || errno == EPERM || errno == EUSERS || errno == EINVAL ||
-         errno == ENOSYS);
   if (ret) {
+    const int unshare_errno = errno;
     VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available "
             << "on this kernel.";
+    CheckCloneNewUserErrno(unshare_errno);
     return false;
   }
+
   // The current {r,e,s}{u,g}id is now an overflow id (c.f.
   // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
   DCHECK(GetRESIds(NULL, NULL));
   const char kGidMapFile[] = "/proc/self/gid_map";
   const char kUidMapFile[] = "/proc/self/uid_map";
   CHECK(WriteToIdMapFile(kGidMapFile, gid));
   CHECK(WriteToIdMapFile(kUidMapFile, uid));
   DCHECK(GetRESIds(NULL, NULL));
   return true;
 }
 
 bool Credentials::DropFileSystemAccess() {
   // Chrooting to a safe empty dir will only be safe if no directory file
   // descriptor is available to the process.
   DCHECK(!HasOpenDirectory(-1));
   return ChrootToSafeEmptyDir();
 }
 
 }  // namespace sandbox.